Information Security News
Millions of smartphones could be remotely commandeered in attacks that allow hackers to clone the secret encryption credentials used to secure payment data and identify individual handsets on carrier networks.
The vulnerabilities reside in at least 500 million subscriber identity module (SIM) cards, which are the tiny computers that store some of a smartphone's most crucial cryptographic secrets. Karsten Nohl, chief scientist at Security Research Labs in Berlin, told Ars that the defects allow attackers to obtain the encryption key that safeguards the user credentials. Hackers who possess the credentials—including the unique International Mobile Subscriber Identity and the corresponding encryption authentication key—can then create a duplicate SIM that can be used to send and receive text messages, make phone calls to and from the targeted phone, and possibly retrieve mobile payment credentials. The vulnerabilities can be exploited remotely by sending a text message to the phone number of a targeted phone.
"We broke a significant number of SIM cards, and pretty thoroughly at that," Nohl wrote in an e-mail. "We can remotely infect the card, send SMS from it, redirect calls, exfiltrate call encryption keys, and even hack deeper into the card to steal payment credentials or completely clone the card. All remotely, just based on a phone number."
SANS Institute and CrowdStrike Partner to Offer "Hacking Exposed Live ...
MarketWatch (press release)
SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; and it operates the Internet's early warning system - the Internet Storm Center. At the heart of SANS are the many security ...
Apple closed access to its developer site after learning that it had been compromised and developers' personal information had been breached.
In the notice posted to the site, Apple explained that some developers' personal information, such as name, e-mail address and mailing address, may have been accessed. The note does not mention passwords or whether password hashes were accessed.
One threat often forgotten in these breaches is phishing. If an attacker has access to some personal information associated with a site, it is fairly easy to craft a reasonably convincing phishing e-mail that uses the fact that the site was breached to trick users into resetting their passwords. These e-mails may be more convincing if they include the user's user name, real name or mailing address as stored with the site.
A video on YouTube claims to show records obtained in the compromise. The video states that 100,000 accounts were accessed to make Apple aware of the vulnerability in its site and that the data will be deleted.
Posted by InfoSec News on Jul 22. Forwarded from: deepsec (at) deepsec.net
Posted by InfoSec News on Jul 22: http://www.zdnet.com/ubuntu-forums-hacked-1-82m-logins-email-addresses-stolen-7000018336/
Posted by InfoSec News on Jul 22: http://articles.timesofindia.indiatimes.com/2013-07-20/india/40694913_1_cyber-attacks-ntro-guidelines
Posted by InfoSec News on Jul 22: http://thehill.com/blogs/hillicon-valley/technology/312393-hack-of-congressional-vendor-shows-cyber-vulnerability
Posted by InfoSec News on Jul 22: http://www.ibtimes.com/selling-secrecy-israel-turning-worlds-cyber-problems-economic-opportunities-1353117